The Securities and Exchange Commission fired another shot across the bow of the securities industry last month, and this time decided to use a new weapon in its arsenal.
A Los Angeles brokerage firm, Crowell, Weedon & Co., became the first company to be sanctioned by the SEC under the USA Patriot Act—yes, that Patriot Act, intended to crackdown on money-laundering and other activity that might support terrorism. The SEC cited Crowell Weedon for failing to document and enforce its customer identification program properly.
In a settlement with the agency, Crowell Weedon did not admit it violated the Patriot provisions relating to identity verification procedures for new accounts, but did agree to desist from any further violations of the law. (Crowell Weedon was never charged with actually helping any terrorist organizations.)
Thomsen
Linda Chatman Thomsen, director of the SEC’s Enforcement Division, said in a statement that the Patriot Act “imposes important obligations on broker-dealers to protect against money laundering and terrorist financing. This action demonstrates the Commission’s commitment to enforce laws within its jurisdiction that are designed to prevent and detect money laundering and related activities.”
Companies outside the financial sector need not worry too much; the Patriot Act’s anti-money laundering provisions only apply to financial institutions such as banks and broker-dealers. But for those in financial services, legal observers say the sanction is a stern reminder from the SEC that not just the Treasury and Justice Departments can use the Patriot Act to compel compliance. “It’s very safe to assume that the SEC is looking at this more closely,” says Jeffrey Hare, a partner with Thacher Proffitt & Wood. “I would suggest that this not an isolated incident but a sign of things to come.”
Bishop
Keith Bishop, of the Buchalter, Nemer, Fields & Younger law firm, notes that “whenever you have a new law or regulation that the SEC wants people to pay attention to, the way to do that is to bring an enforcement action—to send a message that you want compliance.” Bishop says that other similar enforcement actions could be forthcoming. “Hopefully the publicity such actions bring will motivate people who haven’t been dotting their Is and crossing their Ts to go back and start doing so.”
‘Know Your Customer’
Enacted just weeks after the Sept. 11, 2001 attacks, the Patriot Act amended the Bank Secrecy Act to require that all companies qualifying as “financial institutions” establish anti-money laundering programs. An AML program must be in writing and include:
the development of internal policies, procedures and controls;
the designation of a compliance officer;
an ongoing employee training program; and
an independent audit function to test programs.
Although the Treasury Department regulates this provision of the Patriot Act for banks and other more traditional financial institutions, broker-dealers come under the auspices of the SEC.
Hare
Although compliance with the anti-money laundering rules can be “difficult – and it’s definitely costly,” Hare says better training can alleviate problems. “It’s good to get a new customer but it’s better to get a new customer that you’ve gone through the steps and confirmed,” he says. Section 17(a) of the Securities Exchange Act requires broker-dealers to comply with the reporting and record retention provisions of the Bank Secrecy Act. These regulations include a “consumer identification program,” where broker-dealers must establish, document and maintain procedures for verifying the identities of customers opening new accounts.
EXCERPT
Below is an excerpt from the SEC complaint against Crowell Weedon & Co.
From October 2003 to at least late April 2004, Respondent’s written CIP failed to
describe accurately the process Respondent used to verify customer identities. Instead, it used procedures that were materially different and weaker than those in the CIP. The written CIP stated that Respondent would use certain documentary (e.g., check government issued identification) and non-documentary (e.g., database search) methods to verify the identity of each customer. Respondent, however, simply relied on its registered representatives to indicate that they had personal knowledge of the customer’s identity. By failing to accurately document its customer verification procedures, Respondent violated Section 17(a) of the Exchange Act and Rule 17a-8 thereunder ...
The procedures set forth in the CIP specified that Respondent would document its
verification, including all identifying information provided by the customer, the methods used and results of the verification, and the resolution of any discrepancy in the identifying information. They further specified that Respondent would keep records containing a description of any document that it relied on to verify a customer’s identity, noting the type of document, any identification number contained in the document, the place of issuance, and if any, the date of issuance and expiration date. Similarly, the procedures specified that, with respect to non-documentary verification, Respondent would retain documents that describe the methods and results of any measures taken to verify a customer’s identity, including downloading verification information from a third-party vendor.
Between October 1, 2003 and late April 2004, Respondent opened approximately
2,900 new accounts for customers. However, Respondent did not follow the verification and
documentation procedures set forth in the CIP. Specifically, it did not review photo identifications from individuals when available, use the non-documentary methods set forth in the procedures, or document its verification in accordance with its written CIP. Rather, Respondent generally relied on its “Know Your Customer” policy and its registered representatives indicating that they had personnel knowledge of the customer. Typically, the registered representative stated on the new account form that the customer was known to him or her because the customer was a family member or social acquaintance, a referral from an existing customer, or a customer with an existing or previous account.
Source
SEC (May 22, 2006)
That requirement for a customer identification program is what tripped up Crowell Weedon. The firm did have a CIP, which specified that it would verify the identity of its customers through various documentary and non-documentary means (such as reviewing government-issued identification and doing a database search).
But, the SEC said in its complaint, Crowell Weedon’s actual program for verifying customer identities “did not use the specified procedures contained in its written CIP.” Rather than ask for photo identification or other records, the company generally relied on a “know your customer” policy where its registered representatives stated on new accounts that the customer was a personal acquaintance of some kind.
Cracking Down On Follow-Through
Michael Vatis, a former deputy U.S. attorney general who is now a partner at Steptoe & Johnson, says the enforcement action against Crowell Weedon should “be a wakeup call” to other broker-dealers. “But I hesitate to say that it will be,” he adds. “I’ve seen too many areas where something should be a wakeup call and people keep hitting a snooze button. Usually it takes more than one instance to get their attention.”
And “as is often the case in these sorts of areas,” Vatis adds, Crowell Weedon actually had a proper anti-money laundering policy, but apparently failed to follow it thoroughly.
“When there’s a clear statutory requirement for some sort of record-keeping, companies are usually pretty good about instituting those policies,” he says. “But enforcement requires a daily or regular oversight mechanism to make sure that people are abiding by the policy. I work a lot in data security and that area is full of examples of this phenomenon; companies have a policy in place but individual employers or contractors don’t follow the policy.”
Ference
Michael Ference, a partner with the law firm Sichenzia Ross Friedman Ference, says that while the SEC was “definitely trying to send a message” with the Crowell Weedon enforcement, “the message was somewhat confusing. A cease-and-desist [order] is not exactly a severe sanction,” especially given the hundreds of violations Crowell Weedon allegedly made over the course of more than a year.
Ference says that the SEC, as well as the New York Stock Exchange and the National Association of Securities Dealers, are concerned about financial institutions not only having a compliance program in place, but also implementing them “and perhaps most importantly, documenting them. Any firm will tell you the best evidence of compliance is written documentation [that you have been] implementing the procedures.”
Ference contends that cases like the Crowell Weedon enforcement are relatively easy for the SEC and other regulators to bring. In Crowell Weedon’s case, “there was no written documentation of follow-through—of whether identifications were received from the individual accounts that were opened. If you don’t document, they’re going to bring the case. There’s really no defense to it. In a routine audit or cycle audit, it will be very easy to determine whether you’ve complied with the law and your own procedures.”
No comments yet